MCP Servers Expose AI Agents to RCE Risk
According to a whitepaper by Noma Security, reported by Help Net Security on May 5, 2026, many enterprise MCP servers and Skills introduce execution and data-risk vectors for AI agents. Researchers analysed hundreds of popular MCP servers and Skills and found that a substantial share of deployed MCPs include high-risk capabilities, with arbitrary code execution and the ability to change state or data among the most common issues. Help Net Security and related coverage highlight an "observability gap": MCP tool calls are structured and loggable, while Skills load textual instructions into the model context where downstream actions are not directly observable. Editorial analysis: Industry teams running large fleets of agent-connected tools should reassess monitoring and inventory practices for both MCPs and Skills.
What happened
According to a whitepaper by Noma Security, as reported by Help Net Security on May 5, 2026, researchers analysed hundreds of popular MCP servers and Skills and found widespread risky capabilities. The reporting states that approximately one in four MCP servers expose functionality that can be abused for remote code execution or other state-changing operations. The analysis flagged the ability to change state or data as the single most prevalent risk across both extension mechanisms. The Help Net Security article also documents named incidents and five toxic combination patterns where multiple capabilities chain to produce data leakage or destructive outcomes.
Technical details
Per the Noma Security whitepaper (summarised by Help Net Security), the report draws a distinction between two extension mechanisms used by agents: MCP servers, which expose deterministic code functions with structured, loggable invocations, and Skills, which are textual instruction sets loaded into a model's reasoning context. The whitepaper notes an observability gap: MCP calls can be monitored end-to-end, while Skill-driven actions occur inside the model's reasoning where traditional observability tools cannot directly trace which instruction produced a downstream effect. The researchers evaluated tools against eight risky capability categories and report that most widely used Skills include at least one risky characteristic; many enterprise MCP deployments contain high-risk capabilities and arbitrary code execution vectors.
Industry context
Editorial analysis: Companies operating fleets of AI agents typically connect dozens to hundreds of third-party tools or internal connectors. Public reporting frames the problem as not only individual vulnerable endpoints but also the combinatorial risk when multiple capabilities chain together, as exemplified by incidents like the ContextCrush example cited in the coverage. Observers will note that Skills, being text-based and often pinned as static files, present different supply-chain attack surfaces than MCPs that fetch @latest packages, which the whitepaper highlights as an asymmetry in update behavior.
What to watch
Editorial analysis: Practitioners and security teams should monitor four indicators:
- the inventory and privilege scope of connected MCP servers
- whether Skills are treated as auditable artifacts with versioning
- telemetry that correlates agent prompts, tool invocations, and downstream effects
- deployment patterns that fetch mutable packages at load time

Public reporting does not attribute organisational intent or specific remediation roadmaps to the vendors analysed; Noma Security's whitepaper provides examples and named patterns, but the coverage does not include vendor responses or coordinated disclosures.
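As an added example (not code from the Noma Security whitepaper or the Help Net Security coverage), the check below walks an MCP client configuration and flags servers whose launch command fetches a mutable package at load time, the update-behavior asymmetry noted above. It assumes the common `mcpServers` JSON layout used by several MCP clients; the sample configuration and package names are constructed.

```python
"""Inventory check for MCP server configs: flag servers that fetch a mutable
package at load time (an @latest tag, a range, or no version at all).
Added example; the `mcpServers` JSON shape is an assumption about the client
config format, and SAMPLE_CONFIG is constructed, not taken from the report."""
import json
import re

# Constructed sample config: four servers, two of them fetch mutable packages.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "filesystem": {"command": "npx", "args": ["-y", "@example/fs-server@latest", "/"]},
        "db": {"command": "npx", "args": ["-y", "@example/db-server@1.4.2"]},
        "search": {"command": "uvx", "args": ["example-search-server"]},
        "local": {"command": "/opt/agent/bin/local-tool", "args": []},
    }
})

# Launchers that resolve and download a package when the server starts.
PACKAGE_RUNNERS = {"npx", "uvx", "pipx", "bunx"}
SPEC_RE = re.compile(r"^(?P<name>@?[^@]+)(?:@(?P<version>.+))?$")
EXACT_PIN_RE = re.compile(r"^\d+\.\d+\.\d+$")  # exact x.y.z pin


def classify_package(spec):
    """Return 'pinned', 'mutable-tag' (latest/next/ranges) or 'unpinned'."""
    version = SPEC_RE.match(spec).group("version")
    if version is None:
        return "unpinned"
    return "pinned" if EXACT_PIN_RE.match(version) else "mutable-tag"


def audit_mcp_config(config_text):
    """Return {server_name: finding} for servers that fetch mutable packages.
    Servers launched from a local binary are not load-time fetches and are skipped."""
    servers = json.loads(config_text).get("mcpServers", {})
    findings = {}
    for name, entry in servers.items():
        launcher = entry.get("command", "").split("/")[-1]
        if launcher not in PACKAGE_RUNNERS:
            continue
        # First non-flag argument to the runner is the package spec.
        spec = next((a for a in entry.get("args", []) if not a.startswith("-")), None)
        if spec is None:
            continue
        status = classify_package(spec)
        if status != "pinned":
            findings[name] = {"package": spec, "status": status}
    return findings


if __name__ == "__main__":
    for server, finding in audit_mcp_config(SAMPLE_CONFIG).items():
        print(f"{server}: {finding['package']} ({finding['status']})")
```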
Scoring Rationale
The findings affect enterprise AI deployments broadly by identifying widespread RCE and data-change capabilities in agent-connected tools. This is a notable security story for practitioners who operate or secure agent fleets, but it is not a novel model-level breakthrough.